Partly implemented or unimplemented features - now implemented

This commit is contained in:
master
2026-02-09 08:53:51 +02:00
parent 1bf6bbf395
commit 4bdc298ec1
674 changed files with 90194 additions and 2271 deletions


@@ -142,7 +142,76 @@ See [migration-v3.md](./guides/migration-v3.md) for user-facing migration instru
* `export sbom <digest> [--view ... --format ... --out file]` — download artifact.
* `sbom upload --file <path> --artifact <ref> [--format cyclonedx|spdx]` - BYOS upload into the scanner analysis pipeline (ledger join uses the SBOM digest).
* `report final <digest> [--policy-revision ... --attest]` — request PASS/FAIL report from backend (policy+vex) and optional attestation.
### 2.3.1 Compare Commands & Baseline Selection (SPRINT_20260208_029)
The `compare` command group supports diffing scan snapshots with automatic baseline resolution.
#### Commands
* `compare diff --base <digest> --target <digest>` â€" Full comparison showing detailed diff.
* `compare summary --base <digest> --target <digest>` â€" Quick summary of changes.
* `compare can-ship --base <digest> --target <digest>` â€" Check if target passes policy (exit code: 0=pass, 1=fail).
* `compare vulns --base <digest> --target <digest>` â€" List vulnerability changes only.
#### Baseline Selection Strategies
All compare commands support `--baseline-strategy` for automatic baseline resolution:
| Strategy | Description | Requirements |
|----------|-------------|--------------|
| `explicit` (default) | Uses the digest provided via `--base` | `--base` required |
| `last-green` | Selects most recent passing snapshot | `--artifact` required |
| `previous-release` | Selects previous release tag from registry metadata | `--artifact` required |
**Options:**
* `--baseline-strategy <explicit|last-green|previous-release>` â€" Strategy for baseline selection
* `--artifact <purl|oci-ref>` â€" Artifact identifier for auto-resolution strategies
* `--current-version <tag>` â€" Current version (helps `previous-release` find older releases)
* `--verification-report <path>` - Attach `bundle verify --output json` checks to compare output (hash/signature overlay)
* `--reverify-bundle <directory>` - Recompute artifact hash and DSSE-sidecar status from local evidence bundle for live re-verification
* `--determinism-manifest <path>` - Attach determinism manifest score/threshold summary to compare output
**Examples:**
```bash
# Explicit baseline (traditional)
stella compare can-ship --base sha256:abc123 --target sha256:def456
# Auto-select last green baseline
stella compare can-ship --target sha256:def456 \
--baseline-strategy last-green \
--artifact pkg:oci/myapp
# Use previous release as baseline
stella compare can-ship --target sha256:def456 \
--baseline-strategy previous-release \
--artifact pkg:oci/myapp \
--current-version v2.0.0
# Compare diff with inline verification overlay and determinism context
stella compare diff --base sha256:abc123 --target sha256:def456 \
--verification-report ./verify-report.json \
--reverify-bundle ./evidence-bundle \
--determinism-manifest ./determinism.json
```
**Resolution Behavior:**
* `last-green`: Queries forensic snapshot store for latest artifact snapshot with `verdict:pass` tag.
* `previous-release`: Queries for release-tagged snapshots, excludes `--current-version`, returns most recent.
* Both strategies show suggestions when resolution fails.
* Verification overlay: `compare diff` can now include per-artifact `hash`/`signature` status plus determinism score context in table and JSON outputs.
**Service Interface:**
```csharp
public interface IBaselineResolver
{
Task<BaselineResolutionResult> ResolveAsync(BaselineResolutionRequest request, CancellationToken ct);
Task<IReadOnlyList<BaselineSuggestion>> GetSuggestionsAsync(string artifactId, CancellationToken ct);
}
```
### 2.4 Policy & data
* `policy get/set/apply` — fetch active policy, apply staged policy, compute digest.
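Review bot: the `compare can-ship` bullet documents only `exit code: 0=pass, 1=fail`, but the `last-green` and `previous-release` strategies can fail to resolve a baseline (`Both strategies show suggestions when resolution fails`); state which exit code an unresolved baseline returns so a CI gate fails closed instead of reading it as a pass, and likewise what `--reverify-bundle` does when the recomputed hash or DSSE-sidecar status disagrees with the `--verification-report` overlay. Separately, the dash in the four `compare ...` bullets and in the `--baseline-strategy`, `--artifact` and `--current-version` bullets is mojibake (`â€"`, an em dash written through the wrong encoding), while the three bullets after them use ASCII `-` and the surrounding section uses `—`; pick one dash style and re-save the file as UTF-8.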
@@ -243,6 +312,12 @@ Both subcommands honour offline-first expectations (no network access) and norma
* Calls advisory chat endpoints, returns a cited answer with evidence refs.
* `--no-action` disables action proposals; `--evidence` forces evidence chips in output.
* `--file <queries.jsonl>` processes newline-delimited JSON batch requests (`{"query":"..."}` or JSON string lines) and emits deterministic per-line results in `json|table|markdown` format.
* `advise export [--conversation-id <id>] [--tenant <tenant>] [--user <user>] [--limit <n>] [--format <json|table|markdown>] [--output <file>]`
* Exports advisory conversation history through the existing AdvisoryAI conversation endpoints (`/v1/advisory-ai/conversations`).
* When no `--conversation-id` is provided, the CLI lists conversations for the scope and fetches each conversation deterministically by `conversationId` before rendering.
### 2.12 Decision evidence (new)
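Review bot: the `--file <queries.jsonl>` bullet accepts two line shapes (`{"query":"..."}` or a bare JSON string) but does not say what a malformed or empty line produces; since the results are advertised as deterministic per line, document whether such a line aborts the batch or yields a per-line error record, so output line N always corresponds to input line N. For `advise export`, the `--tenant` and `--user` filters should be documented as narrowing within the caller's authorised scope, with the server rejecting values outside it, so a reader does not take them for a way to export another tenant's conversation history.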
@@ -268,6 +343,15 @@ All verbs require scopes `policy.findings:read`, `signer.verify`, and (for Rekor
- CLI outbound HTTP flows (Authority auth, backend APIs, advisory downloads) route through `StellaOps.AirGap.Policy`. When sealed mode is active the CLI refuses commands that would require external egress and surfaces the shared `AIRGAP_EGRESS_BLOCKED` remediation guidance instead of attempting the request.
### 2.14 Unknowns export artifacts
- `unknowns export [--band <hot|warm|cold|all>] [--format <json|csv|ndjson>] [--schema-version <value>] [--output <path>]`
* `json` now emits a deterministic export envelope with `schemaVersion`, `exportedAt`, `itemCount`, and sorted `items`.
* `csv` prepends a schema metadata comment (`schema_version`, `exported_at`, `item_count`) before the column header.
* `ndjson` emits a metadata header line followed by schema-scoped item lines.
* The formal contract artifact for the JSON envelope is at `src/Cli/StellaOps.Cli/Commands/Schemas/unknowns-export.schema.json`.
---
## 3) AuthN: Authority + DPoP
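Review bot: the `unknowns export` JSON envelope is described as deterministic yet carries `exportedAt`; say where that timestamp comes from (a snapshot time versus the wall clock), since a wall-clock value makes two exports of the same data differ and defeats byte-for-byte comparison of offline artifacts. The `csv` bullet also needs the actual comment marker, because CSV has no comment syntax and consumers must know what to strip before the column header; the `ndjson` bullet likewise should show how the metadata header line is distinguished from item lines.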
@@ -553,7 +637,43 @@ script:
## 20) Test matrix (OS/arch)
* Linux: ubuntu‑20.04/22.04/24.04 (x64, arm64), alpine (musl).
* macOS: 13–15 (x64, arm64).
* Linux: ubuntu20.04/22.04/24.04 (x64, arm64), alpine (musl).
* macOS: 1315 (x64, arm64).
* Windows: 10/11, Server 2019/2022 (x64, arm64).
* Docker engines: Docker Desktop, containerd‑based runners.
* Docker engines: Docker Desktop, containerdbased runners.
## 21) OCI Referrers for Evidence Storage
### 21.1 Overview
Two new evidence sub-commands enable native OCI Referrers API integration:
| Command | Purpose |
| --- | --- |
| `stella evidence push-referrer` | Push an evidence artifact as an OCI referrer attached to a subject digest |
| `stella evidence list-referrers` | List all OCI referrers for a given artifact, with optional artifact-type filter |
### 21.2 Push Referrer
Options: `--image` (required), `--artifact-type` (required), `--file` (required), `--annotation` (repeatable), `--offline`.
Builds an OCI image manifest v2 with `subject` field pointing to the target
digest. The evidence file becomes a single layer. Config is the OCI empty
descriptor. Annotations are passed through to the manifest.
`--offline` mode simulates the push locally without network, producing the
manifest JSON on stdout for auditing.
### 21.3 List Referrers
Options: `--image` (required), `--digest` (optional), `--artifact-type` (filter), `--format` (table|json), `--offline`.
Uses `IOciRegistryClient.GetReferrersAsync()` (already implemented) to query
the registry's Referrers API. `--offline` returns simulated data for testing.
### 21.4 Implementation
- `EvidenceReferrerCommands.cs` static command builder class following existing pattern
- Wired into `EvidenceCommandGroup.BuildEvidenceCommand()` alongside existing sub-commands
- Reuses `IOciRegistryClient` and OCI models from `StellaOps.Cli.Services`
- 25 unit tests in `EvidenceReferrerCommandTests.cs`
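Review bot: the replacement lines in the test matrix lost the separator rather than normalising it: `ubuntu20.04/22.04/24.04`, `1315 (x64, arm64)` and `containerdbased runners` should read `ubuntu-20.04`, `13-15` and `containerd-based` with an ASCII hyphen. In section 21.3, `--offline returns simulated data for testing` should also state that the simulated output is clearly marked as such in both the `table` and `json` formats, so a fabricated referrer list cannot be mistaken for a registry response if it ends up in an audit record.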